/*
- Unix SMB/Netbios implementation.
- Version 2.2.
+ Unix SMB/CIFS implementation.
PAM Password checking
Copyright (C) Andrew Tridgell 1992-2001
Copyright (C) John H Terpsta 1999-2001
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
#include "includes.h"
-extern int DEBUGLEVEL;
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
#ifdef WITH_PAM
* which determines what actions/limitations/allowances become affected.
*********************************************************************/
+#if defined(HAVE_SECURITY_PAM_APPL_H)
#include <security/pam_appl.h>
+#elif defined(HAVE_PAM_PAM_APPL_H)
+#include <pam/pam_appl.h>
+#endif
/*
* Structure used to communicate between the conversation function
*/
struct smb_pam_userdata {
- char *PAM_username;
- char *PAM_password;
- char *PAM_newpassword;
+ const char *PAM_username;
+ const char *PAM_password;
+ const char *PAM_newpassword;
};
typedef int (*smb_pam_conv_fn)(int, const struct pam_message **, struct pam_response **, void *appdata_ptr);
/*
* Macros to help make life easy
*/
-#define COPY_STRING(s) (s) ? strdup(s) : NULL
+#define COPY_STRING(s) (s) ? SMB_STRDUP(s) : NULL
+#define COPY_FSTRING(s) (s[0]) ? SMB_STRDUP(s) : NULL
/*******************************************************************
PAM error handler.
*********************************************************************/
-static BOOL smb_pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
+static bool smb_pam_error_handler(pam_handle_t *pamh, int pam_error, const char *msg, int dbglvl)
{
if( pam_error != PAM_SUCCESS) {
failure as sucess.
*********************************************************************/
-static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
- char *msg, int dbglvl,
+static bool smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
+ const char *msg, int dbglvl,
NTSTATUS *nt_status)
{
+ *nt_status = pam_to_nt_status(pam_error);
+
if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
return True;
return PAM_CONV_ERR;
}
- reply = malloc(sizeof(struct pam_response) * num_msg);
+ reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
if (!reply)
return PAM_CONV_ERR;
all_string_sub(buf, "\\t", "\t", 0);
}
-static void pwd_sub(char *buf, char *username, char *oldpass, char *newpass)
+static void pwd_sub(char *buf, const char *username, const char *oldpass, const char *newpass)
{
- pstring_sub(buf, "%u", username);
+ fstring_sub(buf, "%u", username);
all_string_sub(buf, "%o", oldpass, sizeof(fstring));
all_string_sub(buf, "%n", newpass, sizeof(fstring));
}
Create a linked list containing chat data.
***************************************************************/
-static struct chat_struct *make_pw_chat(char *p)
+static struct chat_struct *make_pw_chat(const char *p)
{
- fstring prompt;
- fstring reply;
+ char *prompt;
+ char *reply;
struct chat_struct *list = NULL;
struct chat_struct *t;
- struct chat_struct *tmp;
+ TALLOC_CTX *frame = talloc_stackframe();
while (1) {
- t = (struct chat_struct *)malloc(sizeof(*t));
+ t = SMB_MALLOC_P(struct chat_struct);
if (!t) {
DEBUG(0,("make_pw_chat: malloc failed!\n"));
+ TALLOC_FREE(frame);
return NULL;
}
ZERO_STRUCTP(t);
- DLIST_ADD_END(list, t, tmp);
+ DLIST_ADD_END(list, t, struct chat_struct*);
- if (!next_token(&p, prompt, NULL, sizeof(fstring)))
+ if (!next_token_talloc(frame, &p, &prompt, NULL)) {
break;
+ }
- if (strequal(prompt,"."))
+ if (strequal(prompt,".")) {
fstrcpy(prompt,"*");
+ }
special_char_sub(prompt);
fstrcpy(t->prompt, prompt);
- strlower(t->prompt);
- trim_string(t->prompt, " ", " ");
+ strlower_m(t->prompt);
+ trim_char(t->prompt, ' ', ' ');
- if (!next_token(&p, reply, NULL, sizeof(fstring)))
+ if (!next_token_talloc(frame, &p, &reply, NULL)) {
break;
+ }
- if (strequal(reply,"."))
- fstrcpy(reply,"");
+ if (strequal(reply,".")) {
+ fstrcpy(reply,"");
+ }
special_char_sub(reply);
fstrcpy(t->reply, reply);
- strlower(t->reply);
- trim_string(t->reply, " ", " ");
+ strlower_m(t->reply);
+ trim_char(t->reply, ' ', ' ');
}
+ TALLOC_FREE(frame);
return list;
}
fstring current_prompt;
fstring current_reply;
struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
- struct chat_struct *pw_chat= make_pw_chat(lp_passwd_chat());
+ struct chat_struct *pw_chat;
struct chat_struct *t;
- BOOL found;
+ bool found;
*resp = NULL;
DEBUG(10,("smb_pam_passchange_conv: starting converstation for %d messages\n", num_msg));
if (num_msg <= 0)
return PAM_CONV_ERR;
- if (pw_chat == NULL)
+ if ((pw_chat = make_pw_chat(lp_passwd_chat())) == NULL)
return PAM_CONV_ERR;
/*
return PAM_CONV_ERR;
}
- reply = malloc(sizeof(struct pam_response) * num_msg);
+ reply = SMB_MALLOC_ARRAY(struct pam_response, num_msg);
if (!reply) {
DEBUG(0,("smb_pam_passchange_conv: malloc for reply failed!\n"));
free_pw_chat(pw_chat);
case PAM_PROMPT_ECHO_ON:
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: PAM said: %s\n", msg[replies]->msg));
fstrcpy(current_prompt, msg[replies]->msg);
- trim_string(current_prompt, " ", " ");
+ trim_char(current_prompt, ' ', ' ');
for (t=pw_chat; t; t=t->next) {
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: trying to match |%s| to |%s|\n",
t->prompt, current_prompt ));
- if (wild_match(t->prompt, current_prompt) == 0) {
+ if (unix_wild_match(t->prompt, current_prompt)) {
fstrcpy(current_reply, t->reply);
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We sent: %s\n", current_reply));
pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_ON: We actualy sent: %s\n", current_reply));
#endif
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
found = True;
break;
}
case PAM_PROMPT_ECHO_OFF:
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: PAM said: %s\n", msg[replies]->msg));
fstrcpy(current_prompt, msg[replies]->msg);
- trim_string(current_prompt, " ", " ");
+ trim_char(current_prompt, ' ', ' ');
for (t=pw_chat; t; t=t->next) {
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: trying to match |%s| to |%s|\n",
t->prompt, current_prompt ));
- if (wild_match(t->prompt, current_prompt) == 0) {
+ if (unix_wild_match(t->prompt, current_prompt)) {
fstrcpy(current_reply, t->reply);
DEBUG(10,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We sent: %s\n", current_reply));
pwd_sub(current_reply, udp->PAM_username, udp->PAM_password, udp->PAM_newpassword);
reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = COPY_STRING(current_reply);
+ reply[replies].resp = COPY_FSTRING(current_reply);
#ifdef DEBUG_PASSWORD
DEBUG(100,("smb_pam_passchange_conv: PAM_PROMPT_ECHO_OFF: We actualy sent: %s\n", current_reply));
#endif
Allocate a pam_conv struct.
****************************************************************************/
-static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, char *user,
- char *passwd, char *newpass)
+static struct pam_conv *smb_setup_pam_conv(smb_pam_conv_fn smb_pam_conv_fnptr, const char *user,
+ const char *passwd, const char *newpass)
{
- struct pam_conv *pconv = (struct pam_conv *)malloc(sizeof(struct pam_conv));
- struct smb_pam_userdata *udp = (struct smb_pam_userdata *)malloc(sizeof(struct smb_pam_userdata));
+ struct pam_conv *pconv = SMB_MALLOC_P(struct pam_conv);
+ struct smb_pam_userdata *udp = SMB_MALLOC_P(struct smb_pam_userdata);
if (pconv == NULL || udp == NULL) {
SAFE_FREE(pconv);
* PAM Closing out cleanup handler
*/
-static BOOL smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
+static bool smb_pam_end(pam_handle_t *pamh, struct pam_conv *smb_pam_conv_ptr)
{
int pam_error;
* Start PAM authentication for specified account
*/
-static BOOL smb_pam_start(pam_handle_t **pamh, char *user, char *rhost, struct pam_conv *pconv)
+static bool smb_pam_start(pam_handle_t **pamh, const char *user, const char *rhost, struct pam_conv *pconv)
{
int pam_error;
+#ifdef PAM_RHOST
+ const char *our_rhost;
+ char addr[INET6_ADDRSTRLEN];
+#endif
*pamh = (pam_handle_t *)NULL;
return False;
}
+#ifdef PAM_RHOST
if (rhost == NULL) {
- rhost = client_name();
- if (strequal(rhost,"UNKNOWN"))
- rhost = client_addr();
+ our_rhost = client_name(get_client_fd());
+ if (strequal(our_rhost,"UNKNOWN"))
+ our_rhost = client_addr(get_client_fd(),addr,sizeof(addr));
+ } else {
+ our_rhost = rhost;
}
-#ifdef PAM_RHOST
- DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", rhost));
- pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
+ DEBUG(4,("smb_pam_start: PAM: setting rhost to: %s\n", our_rhost));
+ pam_error = pam_set_item(*pamh, PAM_RHOST, our_rhost);
if(!smb_pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
smb_pam_end(*pamh, pconv);
*pamh = (pam_handle_t *)NULL;
/*
* PAM Authentication Handler
*/
-static NTSTATUS smb_pam_auth(pam_handle_t *pamh, char *user)
+static NTSTATUS smb_pam_auth(pam_handle_t *pamh, const char *user)
{
int pam_error;
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
switch( pam_error ){
case PAM_AUTH_ERR:
- DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
- nt_status = NT_STATUS_WRONG_PASSWORD;
+ DEBUG(2, ("smb_pam_auth: PAM: Authentication Error for user %s\n", user));
break;
case PAM_CRED_INSUFFICIENT:
DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
- nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO;
break;
case PAM_AUTHINFO_UNAVAIL:
DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
- nt_status = NT_STATUS_LOGON_FAILURE;
break;
case PAM_USER_UNKNOWN:
DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
- nt_status = NT_STATUS_NO_SUCH_USER;
break;
case PAM_MAXTRIES:
DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
- nt_status = NT_STATUS_REMOTE_SESSION_LIMIT;
break;
case PAM_ABORT:
DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
- nt_status = NT_STATUS_LOGON_FAILURE;
break;
case PAM_SUCCESS:
DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
- nt_status = NT_STATUS_OK;
break;
default:
DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
- nt_status = NT_STATUS_LOGON_FAILURE;
break;
}
/*
* PAM Account Handler
*/
-static NTSTATUS smb_pam_account(pam_handle_t *pamh, char * user)
+static NTSTATUS smb_pam_account(pam_handle_t *pamh, const char * user)
{
int pam_error;
NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
switch( pam_error ) {
case PAM_AUTHTOK_EXPIRED:
DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
- nt_status = NT_STATUS_PASSWORD_EXPIRED;
break;
case PAM_ACCT_EXPIRED:
DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
- nt_status = NT_STATUS_ACCOUNT_EXPIRED;
break;
case PAM_AUTH_ERR:
DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
- nt_status = NT_STATUS_LOGON_FAILURE;
break;
case PAM_PERM_DENIED:
DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
- nt_status = NT_STATUS_ACCOUNT_RESTRICTION;
break;
case PAM_USER_UNKNOWN:
DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
- nt_status = NT_STATUS_NO_SUCH_USER;
break;
case PAM_SUCCESS:
DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
- nt_status = NT_STATUS_OK;
break;
default:
- nt_status = NT_STATUS_ACCOUNT_DISABLED;
DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
break;
}
* PAM Credential Setting
*/
-static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, char * user)
+static NTSTATUS smb_pam_setcred(pam_handle_t *pamh, const char * user)
{
int pam_error;
NTSTATUS nt_status = NT_STATUS_NO_TOKEN;
switch( pam_error ) {
case PAM_CRED_UNAVAIL:
DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
- nt_status = NT_STATUS_NO_TOKEN;
break;
case PAM_CRED_EXPIRED:
DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
- nt_status = NT_STATUS_PASSWORD_EXPIRED;
break;
case PAM_USER_UNKNOWN:
DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
- nt_status = NT_STATUS_NO_SUCH_USER;
break;
case PAM_CRED_ERR:
DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
- nt_status = NT_STATUS_LOGON_FAILURE;
break;
case PAM_SUCCESS:
DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
- nt_status = NT_STATUS_OK;
break;
default:
DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
- nt_status = NT_STATUS_NO_TOKEN;
break;
}
/*
* PAM Internal Session Handler
*/
-static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag)
+static bool smb_internal_pam_session(pam_handle_t *pamh, const char *user, const char *tty, bool flag)
{
int pam_error;
* Internal PAM Password Changer.
*/
-static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user)
+static bool smb_pam_chauthtok(pam_handle_t *pamh, const char * user)
{
int pam_error;
* PAM Externally accessible Session handler
*/
-BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
+bool smb_pam_claim_session(char *user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
struct pam_conv *pconv = NULL;
* PAM Externally accessible Session handler
*/
-BOOL smb_pam_close_session(char *user, char *tty, char *rhost)
+bool smb_pam_close_session(char *user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
struct pam_conv *pconv = NULL;
* PAM Externally accessible Account handler
*/
-NTSTATUS smb_pam_accountcheck(char * user)
+NTSTATUS smb_pam_accountcheck(const char * user)
{
NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
pam_handle_t *pamh = NULL;
* PAM Password Validation Suite
*/
-NTSTATUS smb_pam_passcheck(char * user, char * password)
+NTSTATUS smb_pam_passcheck(const char * user, const char * password)
{
pam_handle_t *pamh = NULL;
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
* PAM Password Change Suite
*/
-BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword)
+bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword)
{
/* Appropriate quantities of root should be obtained BEFORE calling this function */
struct pam_conv *pconv = NULL;
#else
/* If PAM not used, no PAM restrictions on accounts. */
- NTSTATUS smb_pam_accountcheck(char * user)
+NTSTATUS smb_pam_accountcheck(const char * user)
{
return NT_STATUS_OK;
}
/* If PAM not used, also no PAM restrictions on sessions. */
- BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
+bool smb_pam_claim_session(char *user, char *tty, char *rhost)
{
return True;
}
/* If PAM not used, also no PAM restrictions on sessions. */
- BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost)
+bool smb_pam_close_session(char *in_user, char *tty, char *rhost)
{
return True;
}
git.samba.org / ira / wip.git / blobdiff